# Git Secret Scanner — Leaked API Keys & Credentials (gitleaks) (`ntriqpro/gitleaks-secret-scanner`) Actor

Scan any public Git repository for leaked secrets — API keys, tokens, passwords, private keys — using the open-source gitleaks engine. Secrets are masked in output. For authorized security audits and your own repositories.

- **URL**: https://apify.com/ntriqpro/gitleaks-secret-scanner.md
- **Developed by:** [daehwan kim](https://apify.com/ntriqpro) (community)
- **Categories:** Developer tools, Business
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

$50.00 / 1,000 secrets found

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in a key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use the [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Git Secret Scanner — Leaked API Keys & Credentials (gitleaks)

Scan any **public Git repository for leaked secrets** — API keys, access tokens, passwords, private keys, database URLs, and 150+ other credential types — powered by [gitleaks](https://github.com/gitleaks/gitleaks) (MIT), the most widely used open-source secret-detection engine. Discovered secrets are **masked by default**, so you get the leak's rule, file, line, and commit without re-exposing the raw credential.

Built for **developers, security engineers, and DevSecOps teams** who need to audit a repository for accidentally committed secrets — before attackers find them.

> **Legal & ethical notice:** This Actor is an unofficial integration of gitleaks (gitleaks/gitleaks) and is not affiliated with or endorsed by the original project. Scan only **public** repositories that you own or are authorized to audit. Secret values are masked by default. Use the results to *remediate* leaks, not to exploit them. Comply with all applicable laws and the repository's terms of service.

### What does this Actor do?

Give it a **public repo URL** (e.g. `https://github.com/owner/repo`) and it will:

1. Clone the repository (current files, or full commit history if you enable `scanHistory`).
2. Run gitleaks' 150+ detection rules to find hardcoded secrets.
3. Return each finding — **rule, file, line number, commit, and a masked preview** of the secret.

Running on Apify gives you scheduling, a REST API, dataset exports (JSON/CSV/Excel), and monitoring — so you can audit repos on a recurring schedule and catch new leaks early.

### Why use this Actor?

- **Pre-release security audit** — make sure no API keys shipped in your code.
- **Supply-chain / dependency review** — check a third-party public repo before you adopt it.
- **Continuous monitoring** — schedule scans and diff results to catch newly committed secrets.
- **Incident response** — quickly enumerate where a leaked credential appears across history.

### How to use it

1. Paste a **public repo URL** (`https://github.com/owner/repo`).
2. Leave `maskSecrets` on (recommended). Turn on `scanHistory` for a deeper, slower scan of every commit.
3. Run it. Each detected secret becomes one dataset row.
4. Export to CSV/JSON/Excel or pull via the API. Schedule for ongoing monitoring.

### Input

| Field | Type | Description |
|---|---|---|
| `repoUrl` | string | Public HTTPS repo URL (GitHub/GitLab/Bitbucket). **Required.** |
| `scanHistory` | boolean | Scan full commit history (slower, deeper). Default `false`. |
| `maskSecrets` | boolean | Mask secret values in output (default `true`, recommended). |
| `maxResults` | integer | Cap on findings returned/charged (default 200, max 1000). |
| `timeout` | integer | Max seconds for clone + scan (default 300). |

### Output

Each detected secret is one dataset record. Download as JSON, HTML, CSV, or Excel.

```json
{
  "repoUrl": "https://github.com/owner/repo",
  "ruleId": "github-pat",
  "secretType": "Uncovered a GitHub Personal Access Token...",
  "filePath": "config/.env",
  "startLine": 12,
  "commit": "a1b2c3d",
  "secretMasked": "ghp_…ef (len 40)",
  "entropy": "4.42",
  "scannedAt": "2026-06-29T00:00:00+00:00"
}
```

### Data fields

| Field | Description |
|---|---|
| `ruleId` | gitleaks rule that matched (e.g. `aws-access-token`, `github-pat`) |
| `secretType` | Human description of the secret type |
| `filePath` | File where the secret was found (repo-relative) |
| `startLine` | Line number |
| `commit` | Commit hash (when scanning history) |
| `secretMasked` | Masked preview of the secret (full value hidden unless `maskSecrets:false`) |
| `entropy` | Shannon entropy of the match |
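
The `secretMasked` and `entropy` fields can be reproduced locally, which is useful when a run on your own repository used `maskSecrets:false` and the findings must be re-masked before they go into a ticket or chat. This is an added example, not the Actor's own code: the 4-character head and 2-character tail are inferred from the sample record above, and `mask`, `redact_record` and `min_hidden` are hypothetical names.

```python
import math
import re
from collections import Counter

# Constructed sample value, not a real credential.
SAMPLE_TOKEN = "ghp_" + "A1b2" * 8 + "C3ef"

# Matches previews shaped like the sample record: "ghp_…ef (len 40)".
ALREADY_MASKED = re.compile(r"…\S* \(len \d+\)$")


def shannon_entropy(value):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not value:
        return 0.0
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def mask(secret, head=4, tail=2, min_hidden=8):
    """Build a preview in the shape of the sample record.

    Assumption: head/tail lengths are read off "ghp_…ef (len 40)".
    Short values are hidden completely, because showing 6 characters of a
    7-character password would disclose almost all of it.
    """
    length = len(secret)
    if length - head - tail < min_hidden:
        return f"… (len {length})"
    return f"{secret[:head]}…{secret[-tail:]} (len {length})"


def redact_record(record):
    """Return a copy of a finding that is safe to forward.

    Assumption: with maskSecrets:false the raw value arrives in the
    `secretMasked` field, as the Data fields table suggests.
    """
    value = record.get("secretMasked", "")
    if ALREADY_MASKED.search(value):
        return dict(record)  # already a preview, leave untouched
    return {**record, "secretMasked": mask(value)}


if __name__ == "__main__":
    raw = {"ruleId": "github-pat", "filePath": "config/.env",
           "startLine": 12, "secretMasked": SAMPLE_TOKEN}
    print(redact_record(raw))
    print(f"entropy of sample token: {shannon_entropy(SAMPLE_TOKEN):.2f}")
    print(f"entropy of 'aaaaaaaa':   {shannon_entropy('aaaaaaaa'):.2f}")
```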

### Pricing / Cost estimation

**Pay-per-result: $0.05 per leaked secret discovered.** A clean repo costs nothing (no findings = no charge); a repo with a handful of leaks costs a few cents. Invalid input and clean scans are free. New Apify users get free monthly credits.

### Tips & advanced options

- Start with `scanHistory:false` (fast). Enable it only when you need to find secrets buried in old commits.
- Keep `maskSecrets:true` — you get the rule, file, and line to remediate without re-leaking the value. Turn it off only on your own repos when you need the raw value.
- Schedule weekly scans and diff results to catch newly committed secrets.
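
The "schedule scans and diff results" workflow from the use cases and the tip above, as an added example that is not part of the Actor: it compares two exported datasets and reports findings that appeared or disappeared. The fingerprint fields, the function names and all sample records are assumptions constructed for illustration.

```python
from collections import Counter


def fingerprint(rec):
    """Identity of a finding across scans.

    startLine is left out on purpose: edits above a secret shift its line
    number, and that must not make an old leak look new. `commit` is only
    populated when scanHistory is on, so it defaults to "".
    """
    return (
        rec.get("repoUrl", ""),
        rec.get("ruleId", ""),
        rec.get("filePath", ""),
        rec.get("commit") or "",
        rec.get("secretMasked", ""),
    )


def surplus(records, baseline):
    """Records whose fingerprint occurs more often here than in baseline.

    Counting (rather than using a set) keeps a second copy of the same
    masked value in the same file from hiding behind the first one.
    """
    budget = Counter(fingerprint(r) for r in baseline)
    extra = []
    for rec in records:
        fp = fingerprint(rec)
        if budget[fp] > 0:
            budget[fp] -= 1
        else:
            extra.append(rec)
    return extra


def diff_scans(previous, current):
    """Split two scans into newly appeared and no-longer-reported findings."""
    new = surplus(current, previous)
    # `entropy` is exported as a string ("4.42"); highest entropy first.
    new.sort(key=lambda r: float(r.get("entropy") or 0), reverse=True)
    # "gone" only means the scan no longer reports it. With scanHistory off
    # the value can still sit in old commits, and it still needs rotating.
    gone = surplus(previous, current)
    return {"new": new, "gone": gone}


def finding(rule, path, line, masked, entropy):
    """Build one constructed dataset row in the documented output shape."""
    return {"repoUrl": "https://github.com/owner/repo", "ruleId": rule,
            "filePath": path, "startLine": line, "commit": "",
            "secretMasked": masked, "entropy": entropy}


# Constructed sample exports from two scheduled runs.
PREVIOUS = [
    finding("github-pat", "config/.env", 12, "ghp_…ef (len 40)", "4.42"),
    finding("aws-access-token", "deploy/settings.py", 7, "AKIA…XQ (len 20)", "3.68"),
]
CURRENT = [
    finding("github-pat", "config/.env", 15, "ghp_…ef (len 40)", "4.42"),  # moved
    finding("generic-api-key", "src/client.js", 3, "sk_l…9a (len 32)", "4.10"),
    finding("private-key", "certs/dev.pem", 1, "----…-- (len 1704)", "5.87"),
]

if __name__ == "__main__":
    result = diff_scans(PREVIOUS, CURRENT)
    for rec in result["new"]:
        print("NEW ", rec["ruleId"], rec["filePath"], rec["startLine"])
    for rec in result["gone"]:
        print("GONE", rec["ruleId"], rec["filePath"], "(rotate if not done)")
```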

### FAQ, disclaimers & support

**Is this legal?** It scans only **public** repositories you provide — the same code anyone can `git clone`. Secrets are masked by default and the tool is intended for **defensive auditing and remediation**. Scan only repos you own or are authorized to audit, and use findings to fix leaks, not exploit them.

**Known limitations:** Detection follows gitleaks' rule set; very large histories may hit the timeout (raise `timeout` or use `scanHistory:false`). Private repos are not supported (public only).

- Found a bug or need a custom security solution? Open an issue in the **Issues** tab.

***

### 🔗 Related Actors by ntriqpro

Build your full security & OSINT stack:

- [**dnstwist-osint**](https://apify.com/ntriqpro/dnstwist-osint) — Typosquatting & phishing domain detector
- [**maigret-actor**](https://apify.com/ntriqpro/maigret-actor) — Username OSINT across 3000+ sites
- [**email-osint-search**](https://apify.com/ntriqpro/email-osint-search) — Find which 120+ sites an email is registered on
- [**theharvester-osint**](https://apify.com/ntriqpro/theharvester-osint) — Subdomains, hosts & emails for a domain


# Actor input Schema

## `repoUrl` (type: `string`):

HTTPS URL of a PUBLIC Git repo to scan, e.g. https://github.com/owner/repo. Only scan repositories you own or are authorized to audit.

## `scanHistory` (type: `boolean`):

If on, clones full history and scans every commit (slower, deeper). If off, scans only the current files (fast).

## `maskSecrets` (type: `boolean`):

Mask secret values in output (recommended). Turn off only for your own repositories.

## `maxResults` (type: `integer`):

Maximum secrets to return and charge for (hard cap 1000).

## `timeout` (type: `integer`):

Maximum time for clone + scan.

## Actor input object example

```json
{
  "repoUrl": "https://github.com/gitleaks/gitleaks",
  "scanHistory": false,
  "maskSecrets": true,
  "maxResults": 200,
  "timeout": 300
}
```

# Actor output Schema

## `results` (type: `string`):

No description

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "repoUrl": "https://github.com/gitleaks/gitleaks",
    "maxResults": 200,
    "timeout": 300
};

// Run the Actor and wait for it to finish
const run = await client.actor("ntriqpro/gitleaks-secret-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {
    "repoUrl": "https://github.com/gitleaks/gitleaks",
    "maxResults": 200,
    "timeout": 300,
}

# Run the Actor and wait for it to finish
run = client.actor("ntriqpro/gitleaks-secret-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "repoUrl": "https://github.com/gitleaks/gitleaks",
  "maxResults": 200,
  "timeout": 300
}' |
apify call ntriqpro/gitleaks-secret-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=ntriqpro/gitleaks-secret-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Git Secret Scanner — Leaked API Keys & Credentials (gitleaks)",
        "description": "Scan any public Git repository for leaked secrets — API keys, tokens, passwords, private keys — using the open-source gitleaks engine. Secrets are masked in output. For authorized security audits and your own repositories.",
        "version": "1.0",
        "x-build-id": "NUbsKMqf03cF5VzjG"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/ntriqpro~gitleaks-secret-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-ntriqpro-gitleaks-secret-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/ntriqpro~gitleaks-secret-scanner/runs": {
            "post": {
                "operationId": "runs-sync-ntriqpro-gitleaks-secret-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/ntriqpro~gitleaks-secret-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-ntriqpro-gitleaks-secret-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "repoUrl"
                ],
                "properties": {
                    "repoUrl": {
                        "title": "Public Git Repository URL",
                        "type": "string",
                        "description": "HTTPS URL of a PUBLIC Git repo to scan, e.g. https://github.com/owner/repo. Only scan repositories you own or are authorized to audit."
                    },
                    "scanHistory": {
                        "title": "Scan full commit history",
                        "type": "boolean",
                        "description": "If on, clones full history and scans every commit (slower, deeper). If off, scans only the current files (fast).",
                        "default": false
                    },
                    "maskSecrets": {
                        "title": "Mask discovered secrets",
                        "type": "boolean",
                        "description": "Mask secret values in output (recommended). Turn off only for your own repositories.",
                        "default": true
                    },
                    "maxResults": {
                        "title": "Max findings",
                        "minimum": 1,
                        "maximum": 1000,
                        "type": "integer",
                        "description": "Maximum secrets to return and charge for (hard cap 1000)."
                    },
                    "timeout": {
                        "title": "Timeout (seconds)",
                        "minimum": 30,
                        "maximum": 600,
                        "type": "integer",
                        "description": "Maximum time for clone + scan."
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
